For many years now I have been very interested in cryptography, and cryptanalysis in particular, and I was pleasantly surprised when I found 'A Self-Study Course in Block Cipher Cryptanalysis' by the established cryptographer Bruce Schneier. I downloaded this paper, and after brushing up on my mathematical theory decided to have a go at the first challenge - the cryptanalysis of 8-round RC5 without any rotations. This paper was written to document my experiences, and if the outcome of this is that only one person is interested enough to take cryptography seriously, it has done its job. I hope you will find this paper useful.

- Martin

Stage 1 - Learning the cipher

As this was my first attempt at some serious cryptanalysis, I wasn't too sure where I was supposed to start. The only resource I had was the original RC5 paper, and a brief one liner in Schneier's paper instructing me to perform cryptanalysis on a weakened version of eight rounds with no rotations. I thought that the best place to start was with the full RC5 and to first learn how this worked.

I printed the RC5 paper, and proceeded to read it thoroughly a few times to make sure I understood it fully. With no distractions, this took approximately a few hours. It was one of the first scientific papers that I had read, and it took some time to get used to the layout and method of writing. However I feel that to be a competent cryptographer you will have to read a large number of papers in this style, so time and effort spent at this stage would improve things later.

Stage 2 - Finding an idea

After understanding how the full RC5 worked, I re-read the paper, this time jotting down notes along the side about how the weakened version differed. While I was doing this, my first idea came to me. My idea was that as the only operation performed in the weakened version was addition, the plaintext and ciphertext pairs should be fairly resemblant. By this I mean that changing the lower bits of a plaintext word should only affect the lower bits of the ciphertext words. I also wrote this down on the paper, and carried on reading, in case any other ideas came to me. They didn't, but I was left with one idea that I felt must be true. This stage probably took another couple of hours of slow reading and heavy thinking.

Stage 3 - Implementation in code

To check this idea I needed to implement it on the computer. Starting with the original rc5ref.c I converted the key from bytes to words. If I knew more advanced C this step would probably have been unnecessary, but I was sticking to what I knew, and decided it would be worth it. At this stage I also removed the unneeded rotations and slightly changed the format. These were done after checking a full version of RC5 using words against the test vectors given in the paper. Below is the final version of rc5word.c:

After making some minor changes to the code, rc5-bitsweep.c was born. This program swept through the keyspace, setting the entire key to zero, except one single bit, whose position swept through the key from right to left.

If my original idea was correct, then when the lower bits of words one and three were modified, only the lower bits of the ciphertext words should change. Only words one and three would change them as both words zero and one, and two and three are taken as pairs. The results were as follows:

As you can easily see, my initial idea was close, but not completely true. It was true that high order bits of each word in the key only affected high order bits in the ciphertext words, but as you worked through the words towards the least significant bit, my idea seemed to break down. However, some part of my idea was correct, and this spurred me on to investigate more.

Stage 4 - Analysis of the new results

From more careful analysis of the results, I came to the conclusion that there were approximately four bits (one hexadecimal digit) from the odd plaintext words that affected a corresponding four bits of the ciphertext words. Likewise for the even words. By this I mean that I thought that only the highest four bits of plaintext words one and three affected the highest four bits of both ciphertext words, and so on, jumping through the words from left to right by four bits every time. However, to verify each set of bits, you needed to know the original plaintext (to trial encrypt) and the correct ciphertext (for comparison). Hence, this was a known-plaintext attack. I now had my attack after approximately fifteen hours of concentrated analysis, coding and debugging.

Stage 5 - Breaking the cipher

To verify this analysis I decided to write a brute force password cracker, based upon this idea. However, it would start at the other side of the word (the lowest bits first) and work towards the left. It would try all possible combinations of a block of four bits in all four words of the key, running through the rc5 key expansion procedure, and comparing the appropriate four bits of ciphertext. It would store all correct combinations, and trial each of these combinations against all combinations of the next four bits, discarding any incorrect combinations while storing the correct combinations for the next four bits. I thought that by doing this the possible combinations of key values would gradually decrease until the correct key was found. This resulted in the horrible coding of rc5-crack1.c, with nested for's and if's of up to eight deep. The program generates a pseudo-random key and successfully brute forces it within a short period of time. The awful coding style made debugging incredibly difficult, and is something I would change (after learning better C skills) if I was to repeat.

Calculating...
Found 256 combinations to get 1 correct byte
Found 252 combinations to get 2 correct bytes
Found 312 combinations to get 3 correct bytes
Found 500 combinations to get 4 correct bytes
Found 564 combinations to get 5 correct bytes
Found 460 combinations to get 6 correct bytes
Found 360 combinations to get 7 correct bytes
Found 304 combinations to get 8 correct bytes

Obviously the cipher isn't safe to use, as this weakened version was designed to be broken. However, I found that the cipher was a good starting point to learn cryptanalysis, and many thanks to Bruce Schneier for creating the course. I will now be steadily working my way through the challenges in the cryptanalysis course and possibly documenting my experiences throughout.

One unexpected outcome from the cracking program was the result of many keys that gave the same correct ciphertext. This was not something that I expected, and means that there are further flaws in this weakened version of RC5. Certain different combinations of bits must ultimately have the same effect. I have not performed any analysis of these flaws as of yet, so updates to this paper may arise because of any more research I perform.

Overall, there is probably around twenty hours worth of concentrated work represented here. However, this time was spread over three or so weeks, so there has been much more thinking being done in 'idle' time. I would not yet be able to do all of this in just one or two consecutive days.

Thanks for reading, and I hope you found this an interesting insight into cryptanalysis.

Martin

Last edited by mxb on Mon Jun 11, 2007 6:51 pm; edited 2 times in total
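The rc5word.c, rc5-bitsweep.c and rc5-crack1.c sources referred to in the post are not reproduced here, so the following is an added example, written for this thread and not Martin's code, that implements the three steps he describes: RC5-32/8/16 with the rotations taken out, the single-bit key sweep of Stage 3, and the first nibble-filtering step of the Stage 5 search. It assumes that the rotations are removed from the key schedule as well as from the rounds (the post's observation that high key bits never touch lower ciphertext bits only holds under that reading) and that the 16-byte key is handled as four 32-bit words, as the post says. The sample plaintext and key in main() are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC5-32/8/16 with every rotation removed (the self-study exercise).
   Assumption: rotations are dropped from the key schedule as well as the
   rounds, so the whole cipher is built from addition and XOR only. */
#define W 32
#define R 8
#define C 4              /* 16-byte key held as 4 words */
#define T (2 * (R + 1))  /* 18 round subkeys */
#define P32 0xB7E15163u
#define Q32 0x9E3779B9u

static void weak_setup(const uint32_t key[C], uint32_t S[T]) {
    uint32_t L[C], A = 0, B = 0;
    int i = 0, j = 0;
    memcpy(L, key, sizeof L);
    S[0] = P32;
    for (int k = 1; k < T; k++) S[k] = S[k - 1] + Q32;
    for (int k = 0; k < 3 * T; k++) {      /* 3 * max(T, C) = 54 mixing steps */
        A = S[i] = S[i] + A + B;           /* original: ROTL(S[i] + A + B, 3) */
        B = L[j] = L[j] + A + B;           /* original: ROTL(L[j] + A + B, A + B) */
        i = (i + 1) % T;
        j = (j + 1) % C;
    }
}

static void weak_encrypt(const uint32_t S[T], const uint32_t pt[2], uint32_t ct[2]) {
    uint32_t A = pt[0] + S[0], B = pt[1] + S[1];
    for (int i = 1; i <= R; i++) {
        A = (A ^ B) + S[2 * i];            /* original: ROTL(A ^ B, B) + S[2i] */
        B = (B ^ A) + S[2 * i + 1];        /* original: ROTL(B ^ A, A) + S[2i+1] */
    }
    ct[0] = A;
    ct[1] = B;
}

/* Index of the lowest set bit of x, or 32 when x == 0. */
static int lowest_bit(uint32_t x) {
    int n = 0;
    if (x == 0) return W;
    while (!(x & 1u)) { x >>= 1; n++; }
    return n;
}

/* Stage 3/4 experiment: walk a single set bit through an otherwise all-zero
   key and count the cases where a ciphertext bit BELOW the flipped position
   changes.  Addition and XOR both let bit k of the result depend only on
   bits <= k of the inputs, so without rotations the count must be 0. */
static int bitsweep_violations(const uint32_t pt[2]) {
    uint32_t zero_key[C] = {0}, S[T], base[2], ct[2];
    int violations = 0;
    weak_setup(zero_key, S);
    weak_encrypt(S, pt, base);
    for (int w = 0; w < C; w++) {
        for (int bit = 0; bit < W; bit++) {
            uint32_t key[C] = {0};
            key[w] = 1u << bit;
            weak_setup(key, S);
            weak_encrypt(S, pt, ct);
            if (lowest_bit(ct[0] ^ base[0]) < bit || lowest_bit(ct[1] ^ base[1]) < bit)
                violations++;
        }
    }
    return violations;
}

/* Stage 5, first filtering step: try all 2^16 values of the low nibble of
   the four key words (higher bits left at zero) and keep those whose
   ciphertext matches the target in the low nibble of both words.  The
   property checked above is what makes the still-unknown higher key bits
   irrelevant to this comparison.  Returns the survivor count, or -1 if the
   true key's own low nibbles were wrongly discarded. */
static int nibble_filter(const uint32_t true_key[C], const uint32_t pt[2]) {
    uint32_t S[T], target[2], ct[2];
    int survivors = 0, true_kept = 0;
    weak_setup(true_key, S);
    weak_encrypt(S, pt, target);
    for (uint32_t g = 0; g < (1u << 16); g++) {
        uint32_t key[C];
        int is_true = 1;
        for (int w = 0; w < C; w++) {
            key[w] = (g >> (4 * w)) & 0xFu;
            if (key[w] != (true_key[w] & 0xFu)) is_true = 0;
        }
        weak_setup(key, S);
        weak_encrypt(S, pt, ct);
        if ((ct[0] & 0xFu) == (target[0] & 0xFu) && (ct[1] & 0xFu) == (target[1] & 0xFu)) {
            survivors++;
            if (is_true) true_kept = 1;
        }
    }
    return true_kept ? survivors : -1;
}

int main(void) {
    /* Constructed sample values; the key is not one from the post. */
    const uint32_t pt[2] = {0u, 0u};
    const uint32_t key[C] = {0x12345678u, 0x9ABCDEF0u, 0x0F1E2D3Cu, 0x4B5A6978u};
    printf("bit-sweep violations: %d\n", bitsweep_violations(pt));
    printf("low-nibble survivors: %d\n", nibble_filter(key, pt));
    return 0;
}
```

The sweep returns zero violations for any plaintext, which is the precise form of the observation in Stage 4: a key bit at position k can only influence ciphertext bits at positions k and above, because the only carries in the cipher run upwards. The nibble filter is the first iteration of the rc5-crack1.c loop; repeating it for the next nibble on each survivor, as the post describes, walks the candidate set up the word. The survivor counts depend on the chosen key and plaintext, so this example does not try to reproduce the exact figures listed in the post.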

Nice read. How many collisions did you find for the actual RC5 algorithm? This is a tweaked version, right?

Cheers! I'm glad someone found it interesting!

Yes, this is a tweaked version, the rotations have been removed from the original algorithm. From what I understand it is the rotations that give the security, so this modified variant is supposed to be weak, hence the collisions.

I have not expanded the analysis to the full rc5 algorithm, mainly due to a large work load from university. However, due to the rotations, I think that the full rc5 will be a lot stronger, with few collisions.

That's correct; the variable rotations are the focal point of the design of RC5. While the modular addition and bit-wise XOR operations have respective effects on its security, these data-dependent (i.e., plaintext) rotations are the source of non-linearity in RC5; these rotations are to the non-linearity of RC5 what substitution tables are to the non-linearity of many other block ciphers, so perhaps that is the most obvious hint of their importance. Thus, it's easy to comprehend what is likely to happen when you remove the core of non-linearity.

If you haven't already, I would suggest researching the cryptanalysis of RC5 and numerous variants, by Kelsey, Schneier, and Wagner, Knudsen and Meier, Kaliski and Yin, Biryukov and Kushilevitz, and Borst, Preneel, and Vandewalle. These analyses may give you several methodologies for analyzing these variants, and RC5, as it is securely parameterized. By the way - excellent job on preparing a documented cryptanalysis that I hope sparks interest amongst fellow cryptography enthusiasts. I made it a "sticky", and look forward to further additions. Cheers.

Wow, all that looks pretty confusing. I have also been interested in all areas of cryptography, especially cryptanalysis. Is all of this difficult to learn? And do you have to be good at maths?

Well, actually I don't think it is that confusing. I'm not sure if others will agree with me though as I was the one who wrote it.

I'm glad that you are interested in cryptography and cryptanalysis as there is always interesting work that can be done. As for whether it is difficult to learn, that depends on your background.

I got to where I am now, which is around the same point that I was when I wrote that post, by self learning. I too have an interest in cryptography and cryptanalysis. I got into cryptography through reading about how it was used throughout history, then progressing onto modern day cryptography which revolves around mathematics and computers. I went out and bought half a dozen or so cryptography books, after reading recommendations on various places around the net. I also taught myself most of the necessary mathematics, but you may already know some of it through other means such as university. A large part of that post is also C code for analysis programs that I wrote to break the cipher. I already knew C from previous programming experience, but other methods exist if you do not know a programming language.

I don't think you can 'learn' to do cryptanalysis. This is one of the reasons I wrote the original post, to explain what I was doing and why. I found the self-study course on cryptanalysis on the net, and approached it as a series of independent assignments. I sat down with the cipher and just tried to understand it. Once you understand the cipher then you can eventually see why the weakened version in the course is weaker than the full version. You can see the differences and the effects that they have upon the security. Once you finally understand this you can go and poke these differences to observe their effects.

In this case it was actually rather simple. In the weakened cipher the rotations are removed. This means that the only operation on the plaintext is XOR. Therefore modification of the lower bits does not affect the upper bits; they are largely independent. I tried to explain this in my post, and how I followed through this thought into a full break.

In conclusion I would be hesitant to say you have to be good at maths, but an analytical train of thought is definitely an advantage. Like datah has mentioned, enthusiasm is probably the most important thing you could possess. However, I am glad you found it interesting, and feel free to post any other queries you may have. I wish you the best of luck with your adventures into cryptography, and don't feel nervous about posting any questions you have. There are a large number of very talented people on this forum, and they will assist you along the way.

Martin, your RC5 without rotations cryptanalysis is very instructive and wise.
I also took Schneier's self-study journey, and solved the RC5 without rotations
in exactly the same way as you did. I suppose that's what Schneier expected
from this assignment. I also solved RC5 with number of rotations equal to the
round number, and 4 round DES and 6 round DES. The most difficult was
RC5 with number of rotations equal to the round number (for me).

Have you worked on any other exercise that B.S. proposed?

I wrote all my solutions in LaTeX, but I wrote it in my language, so there's
no point posting it here. If I have time, I'll translate it (but my English is not
very good so I'm worried how it will turn out).

I am still learning but I guess I have a few questions (if someone doesn't mind answering them).

So I was attempting the same sort of thing.
I kept my plaintext as 00000000000000
and the key started at all 0, and then I walked a one from right to left to see how that affected the ciphertext.

My output is very close but not the same as you show in rc5-bitsweep.c.

<data removed>

I broke it up by which word was being flipped (easier on my eyes). Do you see how I have pockets, specifically word1 and word3, where no change is induced? I can post the code as well; I'm just confused why my output is so different.
Thanks.

Hi granite.cow, welcome to SFDC!

I'm glad you are interested in cryptography; there are a number of people here who are extremely talented in this area. Don't worry about your still-learning status, the majority of us are. Remember that there is a lot of information available through past topics, so search before asking a question as it may have already been asked.

Indeed it does seem like there is a small problem with your code somewhere. Without you showing us the code we cannot really help you. As the code may be quite big I would recommend putting it on a web server somewhere and posting a link, rather than making this thread too long with large chunks of code.

I'm sure once you do this, someone will take a look and see if there are any problems.

Key1 is the "pseudo random key" which you try to break. Key2 is the first collision of your rc5-crack program.

Cipher1 is the cipher of the plaintext with Key1 and Cipher2 is the cipher of the plaintext with Key2.
Decipher is the decipher of Cipher1 but with Key2.

As you can see, you can't use the key collision for decrypting any cipher block; it works just for 00 00 00 [...] and maybe for some other plaintexts/ciphertexts, but you can't encrypt a message with this key collision.